@better-auth/sso 1.4.17 → 1.4.19

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.4.17",
+  "version": "1.4.19",
   "type": "module",
   "main": "dist/index.mjs",
   "types": "dist/index.d.mts",
@@ -67,11 +67,12 @@
     "express": "^5.1.0",
     "oauth2-mock-server": "^8.2.0",
     "tsdown": "^0.17.2",
-    "better-auth": "1.4.17"
+    "better-auth": "1.4.19"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.3.0",
-    "better-auth": "1.4.17"
+    "better-call": "1.1.8",
+    "better-auth": "1.4.19"
   },
   "scripts": {
     "test": "vitest",

package/src/client.ts

@@ -1,4 +1,4 @@
-import type { BetterAuthClientPlugin } from "better-auth";
+import type { BetterAuthClientPlugin } from "better-auth/client";
 import type { SSOPlugin } from "./index";
 
 interface SSOClientOptions {
@@ -21,5 +21,9 @@ export const ssoClient = <CO extends SSOClientOptions>(
 					: false;
 			};
 		}>,
+		pathMethods: {
+			"/sso/providers": "GET",
+			"/sso/providers/:providerId": "GET",
+		},
 	} satisfies BetterAuthClientPlugin;
 };

package/src/domain-verification.test.ts

@@ -286,7 +286,7 @@ describe("Domain verification", async () => {
 
 			dnsMock.resolveTxt.mockResolvedValue([
 				[
-					`better-auth-token-saml-provider-1=${provider.domainVerificationToken}`,
+					`_better-auth-token-saml-provider-1=${provider.domainVerificationToken}`,
 				],
 			]);
 
@@ -471,7 +471,7 @@ describe("Domain verification", async () => {
 					"v=spf1 ip4:50.242.118.232/29 include:_spf.google.com include:mail.zendesk.com ~all",
 				],
 				[
-					`better-auth-token-saml-provider-1=${provider.domainVerificationToken}`,
+					`_better-auth-token-saml-provider-1=${provider.domainVerificationToken}`,
 				],
 			]);
 
@@ -484,6 +484,9 @@ describe("Domain verification", async () => {
 			});
 
 			expect(response.status).toBe(204);
+			expect(dnsMock.resolveTxt).toHaveBeenCalledWith(
+				"_better-auth-token-saml-provider-1.hello.com",
+			);
 		});
 
 		it("should verify a provider domain ownership (custom token verification prefix)", async () => {
@@ -498,7 +501,7 @@ describe("Domain verification", async () => {
 				[
 					"v=spf1 ip4:50.242.118.232/29 include:_spf.google.com include:mail.zendesk.com ~all",
 				],
-				[`auth-prefix-saml-provider-1=${provider.domainVerificationToken}`],
+				[`_auth-prefix-saml-provider-1=${provider.domainVerificationToken}`],
 			]);
 
 			const response = await auth.api.verifyDomain({
@@ -510,6 +513,45 @@ describe("Domain verification", async () => {
 			});
 
 			expect(response.status).toBe(204);
+			expect(dnsMock.resolveTxt).toHaveBeenCalledWith(
+				"_auth-prefix-saml-provider-1.hello.com",
+			);
+		});
+
+		it("should return bad request when provider ID exceeds DNS label limit", async () => {
+			const longProviderId = "a".repeat(50);
+			const { auth, getAuthHeaders } = createTestAuth();
+			const headers = await getAuthHeaders(testUser);
+
+			await auth.api.registerSSOProvider({
+				body: {
+					providerId: longProviderId,
+					issuer: "http://hello.com:8081",
+					domain: "http://hello.com:8081",
+					samlConfig: {
+						entryPoint: "http://idp.com:",
+						cert: "the-cert",
+						callbackUrl: "http://hello.com:8081/api/sso/saml2/callback",
+						spMetadata: {},
+					},
+				},
+				headers,
+			});
+
+			const response = await auth.api.verifyDomain({
+				body: {
+					providerId: longProviderId,
+				},
+				headers,
+				asResponse: true,
+			});
+
+			expect(response.status).toBe(400);
+			expect(await response.json()).toEqual({
+				message:
+					"Verification identifier exceeds the DNS label limit of 63 characters",
+				code: "IDENTIFIER_TOO_LONG",
+			});
 		});
 
 		it("should fail to verify an already verified domain", async () => {
@@ -519,7 +561,7 @@ describe("Domain verification", async () => {
 
 			dnsMock.resolveTxt.mockResolvedValue([
 				[
-					`better-auth-token-saml-provider-1=${provider.domainVerificationToken}`,
+					`_better-auth-token-saml-provider-1=${provider.domainVerificationToken}`,
 				],
 			]);
 

package/src/index.ts

@@ -7,6 +7,12 @@ import {
 	requestDomainVerification,
 	verifyDomain,
 } from "./routes/domain-verification";
+import {
+	deleteSSOProvider,
+	getSSOProvider,
+	listSSOProviders,
+	updateSSOProvider,
+} from "./routes/providers";
 import {
 	acsEndpoint,
 	callbackSSO,
@@ -84,6 +90,10 @@ type SSOEndpoints<O extends SSOOptions> = {
 	callbackSSO: ReturnType<typeof callbackSSO>;
 	callbackSSOSAML: ReturnType<typeof callbackSSOSAML>;
 	acsEndpoint: ReturnType<typeof acsEndpoint>;
+	listSSOProviders: ReturnType<typeof listSSOProviders>;
+	getSSOProvider: ReturnType<typeof getSSOProvider>;
+	updateSSOProvider: ReturnType<typeof updateSSOProvider>;
+	deleteSSOProvider: ReturnType<typeof deleteSSOProvider>;
 };
 
 export type SSOPlugin<O extends SSOOptions> = {
@@ -94,6 +104,16 @@ export type SSOPlugin<O extends SSOOptions> = {
 			: {});
 };
 
+/**
+ * SAML endpoint paths that should skip origin check validation.
+ * These endpoints receive POST requests from external Identity Providers,
+ * which won't have a matching Origin header.
+ */
+const SAML_SKIP_ORIGIN_CHECK_PATHS = [
+	"/sso/saml2/callback", // SP-initiated SSO callback (prefix matches /callback/:providerId)
+	"/sso/saml2/sp/acs", // IdP-initiated SSO ACS (prefix matches /sp/acs/:providerId)
+];
+
 export function sso<
 	O extends SSOOptions & {
 		domainVerification?: { enabled: true };
@@ -103,7 +123,7 @@ export function sso<
 ): {
 	id: "sso";
 	endpoints: SSOEndpoints<O> & DomainVerificationEndpoints;
-	schema: any;
+	schema: NonNullable<BetterAuthPlugin["schema"]>;
 	options: O;
 };
 export function sso<O extends SSOOptions>(
@@ -113,7 +133,9 @@ export function sso<O extends SSOOptions>(
 	endpoints: SSOEndpoints<O>;
 };
 
-export function sso<O extends SSOOptions>(options?: O | undefined): any {
+export function sso<O extends SSOOptions>(
+	options?: O | undefined,
+): BetterAuthPlugin {
 	const optionsWithStore = options as O;
 
 	let endpoints = {
@@ -123,6 +145,10 @@ export function sso<O extends SSOOptions>(options?: O | undefined): any {
 		callbackSSO: callbackSSO(optionsWithStore),
 		callbackSSOSAML: callbackSSOSAML(optionsWithStore),
 		acsEndpoint: acsEndpoint(optionsWithStore),
+		listSSOProviders: listSSOProviders(),
+		getSSOProvider: getSSOProvider(),
+		updateSSOProvider: updateSSOProvider(optionsWithStore),
+		deleteSSOProvider: deleteSSOProvider(),
 	};
 
 	if (options?.domainVerification?.enabled) {
@@ -139,6 +165,18 @@ export function sso<O extends SSOOptions>(options?: O | undefined): any {
 
 	return {
 		id: "sso",
+		init(ctx) {
+			const existing = ctx.skipOriginCheck;
+			if (existing === true) {
+				return {};
+			}
+			const existingPaths = Array.isArray(existing) ? existing : [];
+			return {
+				context: {
+					skipOriginCheck: [...existingPaths, ...SAML_SKIP_ORIGIN_CHECK_PATHS],
+				},
+			};
+		},
 		endpoints,
 		hooks: {
 			after: [
@@ -152,10 +190,11 @@ export function sso<O extends SSOOptions>(options?: O | undefined): any {
 							return;
 						}
 
-						const isOrgPluginEnabled = ctx.context.options.plugins?.find(
-							(plugin: { id: string }) => plugin.id === "organization",
-						);
-						if (!isOrgPluginEnabled) {
+						const hasOrganizationPlugin =
+							ctx.context.options.plugins?.some(
+								(plugin) => plugin.id === "organization",
+							) ?? false;
+						if (!hasOrganizationPlugin) {
 							return;
 						}
 

package/src/linking/org-assignment.ts

@@ -1,16 +1,17 @@
 import type { GenericEndpointContext, OAuth2Tokens, User } from "better-auth";
 import type { SSOOptions, SSOProvider } from "../types";
+import { domainMatches } from "../utils";
 import type { NormalizedSSOProfile } from "./types";
 
 export interface OrganizationProvisioningOptions {
 	disabled?: boolean;
-	defaultRole?: "member" | "admin";
+	defaultRole?: string;
 	getRole?: (data: {
 		user: User & Record<string, any>;
 		userInfo: Record<string, any>;
 		token?: OAuth2Tokens;
 		provider: SSOProvider<SSOOptions>;
-	}) => Promise<"member" | "admin">;
+	}) => Promise<string>;
 }
 
 export interface AssignOrganizationFromProviderOptions {
@@ -39,11 +40,11 @@ export async function assignOrganizationFromProvider(
 		return;
 	}
 
-	const isOrgPluginEnabled = ctx.context.options.plugins?.find(
-		(plugin) => plugin.id === "organization",
-	);
-
-	if (!isOrgPluginEnabled) {
+	const hasOrganizationPlugin =
+		ctx.context.options.plugins?.some(
+			(plugin) => plugin.id === "organization",
+		) ?? false;
+	if (!hasOrganizationPlugin) {
 		return;
 	}
 
@@ -105,11 +106,11 @@ export async function assignOrganizationByDomain(
 		return;
 	}
 
-	const isOrgPluginEnabled = ctx.context.options.plugins?.find(
-		(plugin) => plugin.id === "organization",
-	);
-
-	if (!isOrgPluginEnabled) {
+	const hasOrganizationPlugin =
+		ctx.context.options.plugins?.some(
+			(plugin) => plugin.id === "organization",
+		) ?? false;
+	if (!hasOrganizationPlugin) {
 		return;
 	}
 
@@ -118,6 +119,8 @@ export async function assignOrganizationByDomain(
 		return;
 	}
 
+	// Support comma-separated domains for multi-domain SSO
+	// First try exact match (fast path)
 	const whereClause: { field: string; value: string | boolean }[] = [
 		{ field: "domain", value: domain },
 	];
@@ -126,13 +129,25 @@ export async function assignOrganizationByDomain(
 		whereClause.push({ field: "domainVerified", value: true });
 	}
 
-	const ssoProvider = await ctx.context.adapter.findOne<
-		SSOProvider<SSOOptions>
-	>({
+	let ssoProvider = await ctx.context.adapter.findOne<SSOProvider<SSOOptions>>({
 		model: "ssoProvider",
 		where: whereClause,
 	});
 
+	// If not found, search all providers for comma-separated domain match
+	if (!ssoProvider) {
+		const allProviders = await ctx.context.adapter.findMany<
+			SSOProvider<SSOOptions>
+		>({
+			model: "ssoProvider",
+			where: domainVerification?.enabled
+				? [{ field: "domainVerified", value: true }]
+				: [],
+		});
+		ssoProvider =
+			allProviders.find((p) => domainMatches(domain, p.domain)) ?? null;
+	}
+
 	if (!ssoProvider || !ssoProvider.organizationId) {
 		return;
 	}

package/src/oidc.test.ts

@@ -393,9 +393,7 @@ describe("SSO disable implicit sign in", async () => {
 			"redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fsso%2Fcallback%2Ftest",
 		);
 		const { callbackURL } = await simulateOAuthFlow(res.url, headers);
-		expect(callbackURL).toContain(
-			"/api/auth/error/error?error=signup disabled",
-		);
+		expect(callbackURL).toContain("/api/auth/error?error=signup disabled");
 	});
 
 	it("should create user with SSO provider when sign ups are disabled but sign up is requested", async () => {